Replace the “<department name>” text entries with the name of your department. Note any assumptions that apply to this risk assessment. For example, there may be areas of the department that are being excluded or organizational changes that may impact risks.

Purpose:

This IT Security Risk Assessment will be updated in response to changes in the business environment. The <department name> will review the assessment at least annually.

This document records the information used to assess the IT security risks for the <department name>. It includes the instructions for following the assessment process and recording the conclusions drawn from the assessment.

Scope:

This assessment is applicable for the <department name> of the University of Connecticut.

Assumptions:

The assumptions listed below apply to this risk assessment.




Location

Provide the address of the department.

University of Connecticut

…

…, Storrs, CT 06269

Contact Information:

Identify the people that are authorized to review or update risk assessment information.

Primary Name & Title | Contact Data | Alternate Name | Contact Data

IT Security RA: <department name>, Page 4 of 17

Screening

The following questions will determine whether or not your department needs to perform an IT security risk assessment. Some departments will find that their areas at risk are limited to an identifiable subset of the department. In those cases, the assessment can target the area(s) at risk and exclude areas that have no significant risks.

Note that many departments keep local copies of student grade reports, faculty promotion and tenure information, or other files. The primary copies of this information are usually stored and maintained in other locations, but departments that retain copies for local use are responsible for maintaining the privacy of the information.

If you responded with “yes” to any of the questions, your department should complete a risk assessment as instructed in the rest of this document.

If you responded with “no” to all of the questions, your department does not need to complete a security risk assessment. Retain a copy of this form with your recorded answers.


Risk Assessment

This section describes the activities for completion of an IT Security Assessment at the University of Connecticut. This process is closely modeled after the process described in the Microsoft “Security Risk Management Guide” (which can be downloaded from http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/default.mspx). The guide provides extensive discussion of risk assessment concepts, processes, and tools. While the University’s process most closely follows the Microsoft guide, it incorporates process elements and tables from processes documented by NIST, SANS, CMS, and the State of Connecticut’s Department of Information Technology.

Team Roles and Responsibilities

Identify the people responsible for planning and completing the assessment.

Title | Name | Contact Information


Planning:

List the tasks that are required to complete the assessment.

# | Task | Assignment
1 | Develop the work plan and assign responsibilities for completing tasks. |
2 | Introduce team to Risk Assessment concepts, processes, and tools. |
3 | Review inventory of assets and resources to verify completeness. (This is trivial when the department’s Description & Inventory document is current.) |
  | Identify additional safeguards to be considered for safeguarding against risks that have unacceptable impact levels. |
14 | Select the safeguards to be recommended for implementation. |
15 | Document the recommended safeguards. |


The material in the following sections of the assessment document is copied directly from the Inventory and Description document for this department. It presents the inventory of IT resources and assets that will be considered in this assessment.

Business Processes

List the key processes performed at this location.

Processes | Description | Frequency (daily / weekly / monthly) | Person Performing Task

Systems Required:

Provide a brief description of the computer applications and databases used at this location.

System Name | Description | Criticality | Application Type (desktop / server / mainframe) | # Desktops Installed | Owner | Technical Contact

Criticality Ratings:

1 – The organization cannot function without the system.
2 – The organization can function partially without the system.
3 – The organization can function fully without the system.


Unique Assets:

Provide a brief description of unique equipment or other major assets used at this location.

Asset Description | Qty | Vendor | Details (model #s etc.) | Criticality | Location of Asset (Campus / Building / Floor)

Criticality Ratings:

1 – The organization cannot function without the asset.
2 – The organization can function partially without the asset.
3 – The organization can function fully without the asset.

Data on Stand-alone PC’s:

Provide a brief description of significant data files that are kept on stand-alone PC’s at this location.

Data Description | File Name | Backup Frequency | Backup Storage Location | University Data Classification | Criticality | PC Owner

The University Data Classifications are defined in the University’s Data Classification Policy:

Registered Confidential
Confidential
For Internal Use
Public / Unclassified

Criticality Ratings:

1 – The organization cannot function without the data.
2 – The organization can function partially without the data.
3 – The organization can function fully without the data.


Hardcopy Files:

List files that are retained on paper, microfiche, or microfilm.

Description/Name | Qty | Loc Bldg/Floor | Description of Contents | Criticality | Dup. Stored Offsite (yes or no) | Offsite Location | Retention Policy | Candidate for Imaging (yes or no)

Criticality Ratings:

1 – The organization cannot function without the files.
2 – The organization can function partially without the files.
3 – The organization can function fully without the files.

Files used but Owned by Other Organizations:

List any files that are used at this location, but are stored at another location and owned/maintained by a separate organization.

Description | Criticality | Location | Contact Name

Criticality Ratings:

1 – The organization cannot function without the files.
2 – The organization can function partially without the files.
3 – The organization can function fully without the files.

Offsite File Storage Locations:

List files that are used at this location but stored at another location.

Description | Location | Contact Name | Who has Access?


Network Diagram:

Include a diagram that shows the major components of the IT network infrastructure that supports the department. Departments that are unable to prepare this should request the diagram from the UITS Network Support Group. The diagram should show network

For each of the systems used by the department, include a diagram that shows the flow of data through the network infrastructure. The diagrams should show data moving within departmental resources, leaving the department, and coming into the department.

Network Surveys:

If programs like Nessus or SARA have been used to verify the inventory of devices on the network or to assess the vulnerabilities of those devices, include a summary of the findings of the scan.

Previous Risk Assessment(s):

Include a summary of the findings of previous IT Security Risk Assessments, if they provide useful input to this assessment.


Security Profile:

For each of the assets and resources included in the assessment (refer to the inventory tables shown above), indicate the potential impact of loss of the resource. This is equivalent to the “exposure” level described in the Microsoft guide and the “criticality” rating in the Description and Inventory document.

Criticality Ratings:

1 – Resources the organization cannot function without are “high” impact.
2 – Resources the organization can function partially without are “medium” impact.
3 – Resources the organization can function fully without are “low” impact.

The profile may be simplified by grouping individual assets or resources into groups as long as the grouping definition is clearly stated.

Assets and Resources | N/A | Low | Medium | High
Sample asset | | | |
All systems | | | |
All unique assets | | | |
Data on individual PC’s | | | |
Hardcopy in [location illegible in source] and room 101 | | | |
Hardcopy in basement archive | | | |
UCHC files | | | |

Threat Identification:

Review the assets and resources shown in the Security Profile and list them in the Assessment Information Table. Then use the Assessment Information Table to document threats to those assets and resources. The files “Threat Table.doc” and “Common Threats.doc” provide examples of common threats.

Vulnerability Identification:

Use the Assessment Information Table to document the vulnerabilities that can be exploited. The file “Common Vulnerabilities.doc” provides examples of common vulnerabilities. Note that a single threat may have multiple vulnerabilities.


Current Safeguard Identification:

Use the Assessment Information Table to document the safeguards that have been implemented to minimize the risks of an occurrence of each asset/threat/vulnerability combination.

Risk Profile:

The marked columns of the Assessment Information Table are the Risk Profile: the documentation of the areas at risk, highlighting areas that are threatened with no current safeguards.

Threat Occurrence Probability:

Record an estimated probability of occurrence for each threat occurrence. These probabilities should be in the range from 0 to 1.0 and be recorded in .1 increments (for example .7 rather than .72).

This assessment only requires that a probability be assigned to each threat occurrence listed. It may be useful to separately document the reasons for choosing the assigned probability value for each threat occurrence.

Threat Occurrence Impact:

Record an estimated level of impact for each threat occurrence. These can be recorded on a scale from 1 to 10 (with 10 as the greatest impact) or as an estimated cost in dollars.

This assessment only requires that an impact level be assigned to each threat occurrence listed. It may be useful to separately document the reasons for choosing the assigned impact level for each threat occurrence.

Occurrence Expected Impact:

For each threat occurrence, multiply the probability of occurrence by the estimated impact of an occurrence. This produces a relative measure of the expected impact of a threat occurrence. This measure can be compared to expected impacts of other possible occurrences without the effort required to determine precise costs of occurrences.

Acceptable Expected Impact Levels:

Record the level of impact of a threat occurrence that would be acceptable to the department. This assessment only requires that an acceptable impact level be assigned to each threat occurrence listed. It may be useful to separately document the reasons for choosing the assigned level.

If current safeguards result in an impact estimate that is no greater than the acceptable level, no further safeguards are needed. If the current safeguards do not reduce the estimated impact to a point below the acceptable level, additional safeguards should be considered. In all cases, the “costs” associated with minimizing risk should be less than the “cost” of the threat occurrence.
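The arithmetic of the four steps above (probability (A) recorded in tenths, impact (B) on a 1 to 10 scale or in dollars, expected impact A x B, and the comparison against the acceptable level), together with the Risk Profile highlight of rows that have no current safeguard, as an added Python example. This is not part of the University's template or the Microsoft guide; the row field names, the validation checks, and the sample rows are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Defense layers listed in the template's Assessment Information Table.
DEFENSE_LAYERS = {
    "Physical/Administrative",
    "Application/System",
    "Server/Workstation",
    "Network",
    "Data",
}


@dataclass
class AssessmentRow:
    """One row of the Assessment Information Table (field names are assumed)."""
    asset: str
    threat: str
    vulnerability: str
    current_safeguard: Optional[str]    # None: no safeguard in place today
    defense_layer: str
    probability: float                  # (A) 0 to 1.0, recorded in tenths
    impact: float                       # (B) 1 to 10, or a dollar amount
    acceptable_expected_impact: float   # level the department will accept
    additional_options: List[str] = field(default_factory=list)


def validate_row(row: AssessmentRow) -> List[str]:
    """Return the recording-rule violations for a row (empty list if none)."""
    problems = []
    if not 0.0 <= row.probability <= 1.0:
        problems.append("probability outside 0 to 1.0")
    elif abs(row.probability * 10 - round(row.probability * 10)) > 1e-9:
        problems.append("probability not recorded in tenths")
    if row.impact <= 0:
        problems.append("impact must be positive")
    if row.defense_layer not in DEFENSE_LAYERS:
        problems.append("unknown defense layer")
    return problems


def expected_impact(row: AssessmentRow) -> float:
    """(A x B): relative expected impact of one threat occurrence."""
    return round(row.probability * row.impact, 2)


def needs_additional_safeguards(row: AssessmentRow) -> bool:
    """True when current safeguards leave the expected impact above the
    acceptable level; an expected impact equal to the level is acceptable."""
    return expected_impact(row) > row.acceptable_expected_impact


def risk_profile(rows: List[AssessmentRow]) -> List[AssessmentRow]:
    """Rows that are threatened with no current safeguard."""
    return [r for r in rows if not r.current_safeguard]


def impact_statement(rows: List[AssessmentRow]) -> List[AssessmentRow]:
    """Rows needing further safeguards, largest gap to the acceptable level first."""
    over = [r for r in rows if needs_additional_safeguards(r)]
    return sorted(over,
                  key=lambda r: expected_impact(r) - r.acceptable_expected_impact,
                  reverse=True)


def sample_rows() -> List[AssessmentRow]:
    """Constructed sample rows; threats, values and safeguards are illustrative."""
    return [
        AssessmentRow("Data on individual PC's", "Laptop theft", "Unencrypted local disk",
                      None, "Data", 0.3, 8, 1.0,
                      ["Full-disk encryption", "Central file storage"]),
        AssessmentRow("All systems", "Power outage", "No uninterruptible power",
                      "Building generator", "Physical/Administrative", 0.5, 4, 2.0),
        AssessmentRow("Hardcopy in basement archive", "Water damage", "Below-grade storage",
                      "Boxes kept on shelving", "Physical/Administrative", 0.1, 6, 1.0),
    ]


if __name__ == "__main__":
    rows = sample_rows()
    for r in rows:
        for p in validate_row(r):
            print(f"{r.asset}: {p}")
        flag = "REVIEW" if needs_additional_safeguards(r) else "ok"
        print(f"{r.asset:30} A={r.probability} B={r.impact} AxB={expected_impact(r)} "
              f"acceptable={r.acceptable_expected_impact} {flag}")
    print("Risk profile (no current safeguard):", [r.asset for r in risk_profile(rows)])
```

Because A x B is only a relative measure, every row in one table should record B in the same unit: a row scored 1 to 10 cannot be ranked against a row scored in dollars, so a department that mixes the two should split the table or convert before comparing expected impacts.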


Impact Statement:

The marked columns of the Assessment Information Table are the Impact Statement: the documentation of the areas at risk, highlighting areas that are threatened with no current safeguards.

Additional Safeguard Options:

Record any additional safeguards that could be considered for further reducing the impact of a threat occurrence.

Additional Safeguard Recommendations:

Record any safeguards that are recommended for implementation to further reduce the impact of a threat occurrence.


Assessment Information Table:

Column groups: Risk Profile, Impact Statement

Assets and Resources | Threat | Vulnerability | Current Safeguard | Safeguard Defense Layer | Occurrence Probability (A) | Occurrence Impact (B) | Expected Impact (A x B) | Acceptable Expected Impact Level | Additional Safeguard Options | Recommended Safeguards

Defense layers are:

Physical/Administrative
Application/System
Server/Workstation
Network
Data

Probabilities are 0 to 1.0, in tenths.

Impact Levels are 1 to 10 or dollar amounts.


Assessment Maintenance Procedures:

Assessment Review and Update Process:

Describe the process for keeping the plan current.

Assessment Distribution Procedures:

Describe the process for distributing the plan and/or training people to use its content.


Additional Documentation:

Location of Supporting Documentation:

Document Name | Location
Description & Inventory Document |
Risk Assessment |
PC Inventory |
BCP Document |
Current network diagram |
Data flow diagrams |
Result of network device verification scan |
DoIT Security Evaluation Report |
Report from Microsoft Security Risk Self Assessment |

Assessment History:

Date | Revision Summary | Revised By


Assessment Sign Off

This assessment accurately describes the information technology security risks faced by this organization. The current and recommended safeguards shown in the Assessment Information Table provide an acceptable response to the documented risks.